Early Security Testing with Burp Suite Proxy: A Shift-Left Strategy
In today’s ever-evolving cybersecurity landscape, securing application endpoints remains a critical challenge. Despite current strategies and practices, attackers continue to find new ways to exploit vulnerabilities. If your company is not aware of application security testing tools such as Burp Suite, especially in the early stages of development, you are exposed to attacks that can affect your applications, assets and reputation. This highlights the need for your company to be proactive and to “shift left”, which means including security processes early in the software development lifecycle.
Welcome to the “Shifting Left with Burp Suite” blog series! In this opening post, you’ll explore the Burp Suite Community Edition, discover its key benefits, get an overview of its interface, and learn how to use it as a Proxy.
Why Shifting Left Matters
Companies have a wide range of strategies and practices to secure application endpoints, from Threat Modeling to infrastructure security scanning. These efforts often include automated tools such as SonarQube, Snyk, and Wiz to identify and address vulnerabilities. While valuable, these tools sometimes miss vulnerabilities, leaving gaps that attackers can exploit. This is where Burp Suite comes in.
Introducing Burp Suite
Burp Suite is a set of cybersecurity tools designed for testing web applications. It is widely used by security professionals, including ethical hackers and penetration testers; however, with the recent shift-left movement, software engineers are now using it early in the software development lifecycle as well. Burp Suite provides various features to help identify vulnerabilities in web applications during the development and testing phases. Key benefits include:
Customisable and Manual Testing: With Burp Suite, you can perform both automated scans and manual testing, allowing you to customise your approach to meet the specific needs of your application.
Proxy Functionality: The suite’s proxy feature lets you intercept and analyse HTTP/S traffic, giving you insight into how data is transmitted and helping you identify potential security issues. You can also modify requests and responses for more thorough testing.
Request Replay and Modification: Using the Repeater tool, you can replay HTTP requests and observe how the application responds, enabling you to simulate various inputs and uncover hidden vulnerabilities.
Automation of Attacks: With tools such as the Intruder, you can automate attacks such as brute force or parameter manipulation, helping you discover vulnerabilities that might go unnoticed during automated testing.
Burp Suite Community Edition
In this series, we will be using the Burp Suite Community Edition, which is free to download and available on Windows, Mac, and Linux. We will be using the Gin and Juice Shop, an e-commerce website created by PortSwigger, the company behind Burp Suite. This website is intentionally packed with vulnerabilities; let’s see what we can uncover. In this blog, we will focus on capturing traffic using the Proxy feature. Before we look at the Proxy, let’s take a look at the Burp Suite interface.
At first glance, there is a lot going on, but let’s break this down. The Burp Suite Community Edition interface is organised into rows, each serving a distinct purpose. At the top, the menu bar gives you access to project configurations and help documentation. Below that, the tool tabs row allows you to switch between the various suite tools, including Proxy, Intruder, Repeater, and more. Further down, you’ll find the specific actions for each tool, such as intercepting traffic and viewing HTTP history in the Proxy tool. Burp Suite also provides helpful in-app instructions, with an orange button indicating the next action to take; keep an eye out for it.
Intercepting Traffic with Burp Proxy
Burp Proxy is a tool for intercepting, inspecting, and modifying web traffic between your browser and target web applications. Here’s what makes it invaluable:
- Intercept and Modify Traffic: Capture and modify HTTP/S requests and responses in real time.
- Effortless History Management: Unlike browser Developer Tools, Charles Proxy, or Postman, Burp Suite automatically saves your traffic history, ensuring no data is lost during your session.
- Deep Analysis Capabilities: After capturing traffic, you can inspect and manipulate HTTP(S) requests and responses, including headers, body content, and even API routes. This works with multiple data formats, including JSON, XML, and URL-encoded data.
Let’s take a look at how we can capture traffic from the Gin and Juice Shop in Burp Suite.
- In Burp Suite, select Proxy.
- Click on Intercept.
- Select Open browser.
- In the browser, go to https://ginandjuice.shop/
- Select Products.
- Click on Pineapple Edition Cocktail.
- Change the item quantity to 15.
- Click on Add to cart.
- Go back to Burp Suite.
- Select HTTP history.
- Find the POST /catalog/cart request.
In the request view, you can see the request attributes, body parameters, cookies, request headers and response headers. You can also view the response.
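To make the pieces Burp shows in HTTP history concrete, here is an added example (not code from the original post or from PortSwigger) that parses a raw HTTP request into the same attributes: method, path, query string, headers, cookies and body parameters, for both URL-encoded and JSON bodies. The sample request is constructed; the body field names (productId, quantity) and cookie values are assumptions, only the /catalog/cart path and the host come from the walkthrough above.

```python
"""Parse a raw HTTP request as it appears in Burp's Proxy > HTTP history."""
import json
from dataclasses import dataclass
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Constructed sample of the "Add to cart" request. The parameter names and
# cookie values are assumptions, not captured from the real site.
SAMPLE_REQUEST = (
    "POST /catalog/cart HTTP/1.1\r\n"
    "Host: ginandjuice.shop\r\n"
    "Cookie: session=CONSTRUCTED_SESSION_TOKEN; AWSALB=CONSTRUCTED\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 23\r\n"
    "\r\n"
    "productId=1&quantity=15"
)


@dataclass
class ParsedRequest:
    method: str
    path: str
    query: dict
    headers: dict        # header names lower-cased
    cookies: dict
    body_params: dict    # decoded from the body according to Content-Type


def _flatten(multi: dict) -> dict:
    """parse_qs returns lists; keep single values as plain strings."""
    return {k: v[0] if len(v) == 1 else v for k, v in multi.items()}


def parse_raw_request(raw: str) -> ParsedRequest:
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    url = urlsplit(target)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    cookies = {k: m.value for k, m in SimpleCookie(headers.get("cookie", "")).items()}
    ctype = headers.get("content-type", "")
    if ctype.startswith("application/json"):
        body_params = json.loads(body) if body else {}
    elif ctype.startswith("application/x-www-form-urlencoded"):
        body_params = _flatten(parse_qs(body, keep_blank_values=True))
    else:
        body_params = {}   # other formats (e.g. XML) are left for the caller
    query = _flatten(parse_qs(url.query, keep_blank_values=True))
    return ParsedRequest(method, url.path, query, headers, cookies, body_params)
```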
What can we do with this?
Once we have the traffic, we unlock a wealth of possibilities:
- Identify insecure APIs or poorly configured endpoints.
- Modify captured requests to test the application’s response to unexpected inputs.
- Simulate attacks to uncover vulnerabilities before they become real threats.
In the next blog post, we will cover what we can do with this captured request to uncover vulnerabilities.
Summary
By integrating tools like Burp Suite into your development pipeline, you’re taking a proactive approach to security. This aligns with the shift-left movement, allowing your teams to identify and address vulnerabilities early, before they become costly or damaging.
Links